Securing Your Storage in 2008? Less is More

Being the founder of the Identity Theft Resource Center (ITRC) has its ups and downs for Linda Foley. On the one hand, she wouldn’t have been compelled to start the organization if it weren’t for her being a victim of the crime, but on the other hand, she’s gotten to hear some pretty good yarns on reasons an identity theft can occur.

Take this one, for example:

A dentist buys a shredder, wishing to get with the times and destroy paper with sensitive patient information on it before throwing it out to be recycled. He delegates the receptionist to do the shredding and is quite pleased with himself for the security upgrade. A week later, the dentist walks by the receptionist’s desk and notices a trash can full of unshredded paper. The dentist asked what happened to the shredder, and the receptionist replied that the patients in the waiting room were complaining the noise it made sounded like a dentist’s drill.

Foley hears hundreds of these stories every year, and each infuriates her because of the simple preventive steps one can take to quash threats.

“Instead of just giving up on the shredding because of patient complaints, why wouldn’t they just move the shredder away from her desk?” Foley asked.

This is the type of logic Foley has tried to hammer into public consciousness since she founded ITRC in 1999. Gaining support, monetarily and from the general public, has been an uphill battle.

“Well, the first grant came from the bank of Linda J. Foley,” she chuckled. “Then, slowly the support and grants came in. A year before we started, in 1998, it wasn’t even against the law to commit identity theft. False impersonation, fraud, forgery were all against the law, but [there was] not a specific identity theft law, either federally or on the state level. Since then, we have seen the acceptance of identity theft as a crime in all 50 states, but we’ve seen many laws being passed on victim recovery as well, which is very rewarding because they’re realizing identity theft is a real problem.”

First and foremost, it’s a storage issue. In the case of the dentist’s office, it was hard paper storage management that compromised patient information, but the notion applies to electronic storage even more. Personal information stored electronically can be mishandled to produce catastrophic results. Where a robbery of hard paper would be a local problem, a robbery electronically can produce an international incident: better to have your MasterCard account used to buy clothes at the mall rather than weapons in Kenya.

When asked about how she’s advising companies to combat electronic storage-based identity theft for 2008, Foley said administrators have to consider a few simple questions.

“What information do you really need? Are you collecting too much information in the first place? Do you really need the Social Security number? Your vet doesn’t need it; a self-storage unit doesn’t need it; your dry cleaner doesn’t need it.”

Foley said she has seen the beginning of communication between businesses, data regulators and law enforcement that supports the idea of a “less is more” approach to what really needs to be stored electronically by a company. Still, she believes it’s up to the companies themselves to protect their information and to collect only the information they need.

“That limits your liability, so at least your attorneys will be very happy with you,” Foley said. “You also have to have a policy of where it’s going to be kept and who is going to get to see it. It should be on an as-needed basis. If they have to use your Social, make sure they at least truncate it. And finally, set a policy for how long you’re going to keep the information and how you’re going to protect the information. Those things lower the risk of identity theft tenfold.”